Cisco Systems CL-28826-01 Security Camera User Manual


24-25
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Site-To-Site VPN Discovery
• IPsec Technology—The IPsec technology assigned to the VPN—Regular IPsec, IPsec/GRE, GRE
  Dynamic IP (sub-technology), DMVPN, Easy VPN, or GET VPN. The topology you select controls
  what is available in this list.
  If you selected IPsec/GRE, you must also specify the type which may be Standard (for IPsec/GRE)
  or Spokes with Dynamic IP (to configure GRE Dynamic IP).
• Discover From—You can either discover the VPN directly from the network or from Configuration
  Archive.
  - Network—Security Manager connects to all live devices to obtain the device configuration. For
    Extranet VPN discovery, Security Manager connects to the single managed device that you
    specify.
  - Config Archive—Discovery from Configuration Archive is recommended if you deploy to
    configuration files instead of live devices. The most recent version of the device configuration
    in Configuration Archive is used for all devices.
Step 3 Click Next to open the Discover VPN Policies Wizard—Device Selection Page.
Step 4 Select the devices participating in the VPN and their role in the VPN (hub, spoke, peer one, peer two,
local device, key server, group member, or simply selected devices for full-mesh VPNs) depending on
the topology type. For Easy VPN topologies, servers are hubs and clients are spokes.
If there are two or more IPsec terminators in a hub-and-spoke VPN, use the Up and Down arrow buttons
to ensure the primary hub is listed first. When there is only one IPsec terminator, regardless of how many
hubs are connected to the same IPsec terminator, it is not possible to designate one hub as the primary
hub.
For more detailed information on selecting devices for a VPN, see Selecting Devices for Your VPN
Topology, page 24-32.
Step 5 Click Finish to close the wizard and start the discovery process. The Discovery Status window opens
and displays the status of the discovery and indicates whether the discovery of each device has been
successful or has failed (see Viewing Policy Discovery Task Status, page 5-21). Error or warning
messages are provided to indicate the source of any problems, which may be VPN specific or device
specific.
Except for Extranet discovery, when the discovery process completes successfully, and you close the
Discovery Status dialog box, the Site-to-Site VPN Manager window opens, displaying summary
information for the VPN that was discovered. For Extranet discovery, you must either manually open the
Site-to-Site VPN Manager, or select the Site-to-Site VPN policy in Device view, to see the list of
discovered Extranet VPNs.
Step 6 Verify that the VPN policies are as required. Edit the policies as necessary.
Tip: When discovering Extranet VPNs, all Extranet VPNs defined on the selected device are
discovered. Delete the ones that you do not want to manage in Security Manager.
Defining or Repairing Discovered VPNs with Multiple Spoke Definitions
If you discover a VPN whose spokes contain different definitions (for example, different client modes
for Easy VPN spokes), Security Manager changes the definitions during discovery to create a uniform
definition for all spokes. This behavior occurs because VPN topologies in Security Manager can contain
only one set of spoke definitions.
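
Because discovery replaces differing spoke definitions with one uniform definition, it helps to record which spokes differ before running the wizard. The following is an added example, not part of the Cisco guide or of Security Manager: it assumes the spoke configurations are available as text (for example, exported configuration files) and use the IOS `crypto ipsec client ezvpn` block syntax; the function names and sample configurations are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample spoke configurations (illustrative, not from the manual).
SAMPLE_CONFIGS = {
    "spoke-a": "hostname spoke-a\ncrypto ipsec client ezvpn EZ-HUB\n connect auto\n mode client\n peer 192.0.2.1\n!\n",
    "spoke-b": "hostname spoke-b\ncrypto ipsec client ezvpn EZ-HUB\n connect auto\n mode network-extension\n peer 192.0.2.1\n!\n",
    "spoke-c": "hostname spoke-c\ncrypto ipsec client ezvpn EZ-HUB\n mode client\n peer 192.0.2.1\n!\ninterface Vlan1\n crypto ipsec client ezvpn EZ-HUB inside\n!\n",
    "spoke-d": "hostname spoke-d\ninterface Vlan1\n ip address 198.51.100.1 255.255.255.0\n!\n",
}

# A top-level Easy VPN client block starts in column 0; its sub-commands are indented.
BLOCK_RE = re.compile(r"^crypto ipsec client ezvpn (\S+)\s*$")
MODE_RE = re.compile(r"^\s+mode (\S+)\s*$")

def ezvpn_modes(config):
    """Return {profile_name: mode or None} for each Easy VPN client block in one config."""
    modes, current = {}, None
    for line in config.splitlines():
        block = BLOCK_RE.match(line)
        if block:
            current = block.group(1)
            modes[current] = None          # no "mode" line seen yet
        elif current and line[:1] in (" ", "\t"):
            mode = MODE_RE.match(line)
            if mode:
                modes[current] = mode.group(1)
        else:
            current = None                 # left the block (e.g. "!" or a new section)
    return modes

def spoke_definition_drift(configs):
    """Group spoke/profile pairs by client mode; more than one group means the spokes differ."""
    by_mode = defaultdict(list)
    for spoke, text in sorted(configs.items()):
        for profile, mode in ezvpn_modes(text).items():
            by_mode[mode or "(not set)"].append(f"{spoke}/{profile}")
    return dict(by_mode)

if __name__ == "__main__":
    groups = spoke_definition_drift(SAMPLE_CONFIGS)
    if len(groups) > 1:
        print("Spoke definitions differ; record them before running discovery:")
    for mode, members in groups.items():
        print(f"  mode {mode}: {', '.join(members)}")
```

Keeping this output alongside the pre-discovery configurations gives a baseline to compare against when you verify the discovered policies in Step 6.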